fix casing of Api

2026-04-29 02:35:15 +02:00 · 2022-06-06 21:18:08 +00:00
parent c5db11ee2e
commit 3c62271dba
4 changed files with 8 additions and 8 deletions
--- a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
+++ b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
@@ -17,10 +17,10 @@ import codeql.ruby.dataflow.BarrierGuards
 import codeql.ruby.TaintTracking
 import DataFlow::PathGraph

-class DecompressionAPIUse extends DataFlow::Node {
+class DecompressionApiUse extends DataFlow::Node {

    // this should find the first argument of Zlib::Inflate.inflate or Zip::File.extract
-    DecompressionAPIUse() {
+    DecompressionApiUse() {
        this = API::getTopLevelMember("Zlib").getMember("Inflate").getAMethodCall("inflate").getArgument(0) or
        this = API::getTopLevelMember("Zip").getMember("File").getAMethodCall("open").getArgument(0) or
        this = API::getTopLevelMember("Zip").getMember("Entry").getAMethodCall("extract").getArgument(0)
@@ -29,7 +29,7 @@ class DecompressionAPIUse extends DataFlow::Node {
 }

 class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "DecompressionAPIUse" }
+    Configuration() { this = "DecompressionApiUse" }
  
    // this predicate will be used to contstrain our query to find instances where only remote user-controlled data flows to the sink
    override predicate isSource(DataFlow::Node source) {
@@ -38,7 +38,7 @@ class Configuration extends TaintTracking::Configuration {

    // our Decompression APIs defined above will the the sinks we use for this query
    override predicate isSink(DataFlow::Node sink) {
-        sink instanceof DecompressionAPIUse
+        sink instanceof DecompressionApiUse
    }

    // I think it would also be helpful to reduce false positives by adding a simple sanitizer config in the event
--- a/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.qlref
+++ b/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.qlref
@@ -1 +0,0 @@
-experimental/decompression-api/DecompressionAPI.ql
--- a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected
+++ b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected
@@ -11,6 +11,6 @@ nodes
 | decompression_api.rb:17:24:17:37 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
-| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | decompression_api.rb:3:9:3:45 | call to inflate |
-| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | decompression_api.rb:13:9:13:58 | call to inflate |
-| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to open | decompression_api.rb:17:9:21:11 | call to open |
+| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | call to inflate |
+| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | call to inflate |
+| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to open | call to open |
--- a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref
+++ b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref
@@ -0,0 +1 @@
+experimental/decompression-api/DecompressionApi.ql
				`@@ -1 +0,0 @@`
				`experimental/decompression-api/DecompressionAPI.ql`
				`@@ -0,0 +1 @@`
				`experimental/decompression-api/DecompressionApi.ql`